Hacker News new | ask | show | jobs
by rockskon 6 hours ago
Zero Knowledge Proofs are worthless for this.

Either they validate so little information that a single homeless person can authenticate the entire country or they validate so much information as to not have a significant privacy guarantee.

There is no in-between for ZKP validating someone's age.
1 comments
teravor 6 hours ago
worthless is too strong.

the truth is that the two extremes you listed can be titrated.

if you use nullifiers you can trade some privacy for some security. basically you convert your true identity into a private token which you can use to authenticate aspects of yourself, the price being that the token can be tracked with some effort across services. better than just using your identity at least. if a token/nullifier is abused it can be revoked and then you have to jump through a bunch of hoops to get another.

there are some other trade offs that can be made.

link
rockskon 5 hours ago
Okay - so you verify age and what else?

What combination of details can you validate on that is meaningfully privacy-preserving and couldn't result in wide-spread re-use of tokens?

Additionally - what would prevent some kids from getting a homeless man in the city to hand them his ID, get a facial scan, and everything else you can think of to generate a token and then pass that token around?

ZKP are a cryptography-nerd's joy but are are categorically unsuitable for the purpose of age verification. I stand by this without the slightest reservation.

link
teravor 5 hours ago
the same thing that prevents them from doing reuse right now: platform detection mechanisms. the difference is that right now the identity of the subject is known whereas with ZKP (nullifier approach) only the dirty token is known and where that token was used.
link
rockskon 5 hours ago
So....what exactly would platform detection mechanisms be basing their decisions off of that wouldn't defeat the entire privacy-preserving premise of ZKP?
link
teravor 5 hours ago
multiple use of the same token on multiple accounts...?

tying multiple accounts and services together isn't ideal but its inarguably better than tying your real world identity to every single service.

link
rockskon 5 hours ago
Wait - so you're advocating for use of a persistent identifier tied to a person? How is that any different than what advertising networks do right now beyond giving them additional guaranteed information of your age bracket?

To clarify - it's not cryptographically necessary to present the same token for each and every transaction and serves to categorically defeat the entire privacy guarantee of ZKP.

It also makes it trivial to associate your ZKP token with your real identity.

link